nticedump.doc
icedump 5.17 was the first version of our extension toolkit which added
support for NTICE and Windows NT platforms. This document discusses NTICE- and
Windows NT-specific issues you will meet while using our tool.
Currently only the memory dumper and the Bhrama activator have been
ported to nticedump. Expect other commands to be added in future versions, in
both nticedump and icedump.
nticedump supports 32-bit PM clients, in both ring-0 and ring-3, as well as
16-bit PM and (E)V86 clients, DPMI, DOS4GW or any other DOS extender applications.
1. Command syntax
-----------------
1. Memory dump:                    PAGEIN D BaseAddress Length FileName
   Example:  PAGEIN D 400000 512 \??\C:\memory.dmp
             PAGEIN D 400000 300 C:\memory.dmp
2. Page in a memory page:          PAGEIN D Address
   Example:  PAGEIN D 400000
3. Toggle dump expert mode on/off: PAGEIN D
   Example:  PAGEIN D
4. Process dump:                   PAGEIN B <Bhrama window name>
   Example:  PAGEIN B ProcDump32 - Dumper Server
5. File load:                      PAGEIN L BaseAddress Length FileName
   Example:  PAGEIN L 400000 512 \??\C:\memory.dmp
             PAGEIN L 400000 300 C:\memory.dmp
6. Help:                           PAGEIN
   Example:  PAGEIN
2. Notes about installation, patching ntice.sys and supported versions
----------------------------------------------------------------------
Currently versions 3.22, 3.23, 3.24, 3.25, 4.00, 4.01 and 4.05 are
supported by nticedump. Note that support for 3.25 is ensured only for the
original build; the updated one is not supported by this build of nticedump.
To bind the binary images into ntice.sys, use the included patcher
tool, ntid.exe, written by our friend G-Rom, author of the world-famous
Procdump. The utility is pretty straightforward to use, so I won't comment on
its usage here.
Windows NT 3.51 is NOT supported and will NEVER be.
3. File system issues
---------------------
Due to changes in the load order of the file system device drivers in
Win2k, NTICE completes initialization before any file system driver is
loaded. This situation is not handled by the current version of nticedump, so
you have to make sure that a file system device is mounted before trying to
dump memory.
Future versions of nticedump will provide a special dumping mode, using
locked memory buffers and queued I/O, to support dumping in this situation.
(God, why should I bother with this? I doubt that anyone will ever need it :P)
4. Breakpoints and nticedump
----------------------------
Although nticedump can safely coexist with any kind of breakpoints, as a
supplementary safety measure you should not have breakpoints active on (or
inside) the following ntoskrnl.exe and Win32 APIs while dumping:
ZwCreateFile
ZwClose
ZwReadFile
ZwWriteFile
RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
MmIsAddressValid
DbgPrint
KeAttachProcess
KeDetachProcess
GetCurrentProcessId
FindWindowA
SendMessageA
BPINT 2E
Any other breakpoints will not interfere with the dumper.
5. Specifying correct paths. Dumping with expert mode ON.
---------------------------------------------------------
Dumping memory to a file requires a FULL path name for the output file.
Please note that from the NT I/O manager's point of view, a string like
"C:\memory.dmp" is not a valid path name. I will not go into detail here on
how the NT I/O manager interprets requests of this form for the Win32
subsystem, or why such a path name is invalid. What I will tell you is that
you should use the following forms to pass the file name:
Expert Path Mode
----------------
The expert path mode is the default way of constructing paths in
nticedump. This mode is the only way to specify a valid path name before the
symbolic links "C:", "D:" .... "Z:" are built.
1. "\??\C:\filename.dmp"
   Creates the file "filename.dmp" in the root of drive C:.
2. "\SystemRoot\filename"
   Creates the file "filename" in the Windows NT root directory.
3. "\device\Harddisk0\partition1\filename"
   Creates the file "filename" in the root of drive C:.
Note that "\device\Harddisk0\partition1" is a valid object path name at the
NT executive level. Specifying the path through method 1 is the preferred
way; methods 2 or 3 are required only if you need to dump memory BEFORE the
symbolic links C: D: .... X: are created. A normal user should never have to
use methods 2 or 3. The "SystemRoot" symbolic link is created by the I/O
manager before NTICE has completed initialization, so using this name as a
path component should be valid under any circumstances.
User Path Mode
--------------
The user path mode accepts paths in the "normal" form, which any user
should be familiar with.
Example:
"C:\memory.dmp"
Please note that in this mode you will be unable to dump before the drive
letters' symbolic links are initialized.
Switching Expert mode on and off
--------------------------------
Executing the PAGEIN D command, without any other parameters, will
toggle expert mode on and off. A message is printed to the command window.
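The following is an added example, not nticedump's own source: a small parser for the PAGEIN command lines of section 1 that applies the path rules of section 5 (expert mode accepts only object manager names such as "\??\C:\...", "\SystemRoot\..." and "\Device\..."; user mode accepts "C:\..." and rewrites it to "\??\C:\..."). Two things are assumed rather than stated by the document: BaseAddress and Length are hexadecimal, and the debugger hands the extension only the text that follows the word "PAGEIN". The function and type names are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not nticedump's own source: a parser for the PAGEIN command
 * lines of section 1 that applies the path rules of section 5. Assumed here:
 * BaseAddress and Length are hexadecimal, and the debugger hands the extension
 * only the text that follows the word "PAGEIN". */

enum pagein_op { OP_ERROR, OP_HELP, OP_TOGGLE_EXPERT, OP_PAGEIN,
                 OP_DUMP, OP_LOAD, OP_PROCDUMP };
struct pagein_cmd {
    enum pagein_op op;
    unsigned long base, length;   /* BaseAddress and Length, parsed as hex */
    char path[260];               /* object path as handed to ZwCreateFile */
    char window[128];             /* Bhrama window title for PAGEIN B */
};

/* Object manager names are case-insensitive, so compare prefixes that way. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

static int parse_hex(const char *tok, unsigned long *val)
{
    char *end;
    *val = strtoul(tok, &end, 16);
    return *tok != '\0' && *end == '\0';
}

/* Expert mode accepts only names the object manager resolves by itself
 * (\??\C:\..., \SystemRoot\..., \Device\...). User mode accepts "C:\..." and
 * rewrites it to "\??\C:\...", the form the Win32 subsystem would produce. */
int normalize_path(const char *in, int expert_mode, char *out, size_t outsz)
{
    if (expert_mode) {
        if (!has_prefix_ci(in, "\\??\\") && !has_prefix_ci(in, "\\SystemRoot\\")
            && !has_prefix_ci(in, "\\Device\\"))
            return 0;
        return snprintf(out, outsz, "%s", in) < (int)outsz;
    }
    if (!isalpha((unsigned char)in[0]) || in[1] != ':' || in[2] != '\\' || !in[3])
        return 0;
    return snprintf(out, outsz, "\\??\\%s", in) < (int)outsz;
}

/* Fills *cmd from the argument text; returns 1, or 0 with op == OP_ERROR. */
int parse_pagein(const char *line, int expert_mode, struct pagein_cmd *cmd)
{
    char buf[512], *tok[4], *p = buf, *end;
    int n = 0, c;
    memset(cmd, 0, sizeof *cmd);
    cmd->op = OP_ERROR;
    if (strlen(line) >= sizeof buf) return 0;
    strcpy(buf, line);
    while (*p == ' ') p++;
    if (!*p) { cmd->op = OP_HELP; return 1; }            /* bare "PAGEIN" */

    if (toupper((unsigned char)p[0]) == 'B' && p[1] == ' ') {
        /* A window title may contain spaces, so the rest of the line is it. */
        for (p++; *p == ' '; p++) ;
        for (end = p + strlen(p); end > p && end[-1] == ' '; ) *--end = '\0';
        if (!*p || snprintf(cmd->window, sizeof cmd->window, "%s", p)
                       >= (int)sizeof cmd->window) return 0;
        cmd->op = OP_PROCDUMP;
        return 1;
    }
    while (n < 4 && *p) {                               /* split on spaces */
        tok[n++] = p;
        while (*p && *p != ' ') p++;
        while (*p == ' ') *p++ = '\0';
    }
    c = toupper((unsigned char)tok[0][0]);
    if (strlen(tok[0]) != 1 || (c != 'D' && c != 'L')) return 0;
    if (c == 'D' && n == 1) { cmd->op = OP_TOGGLE_EXPERT; return 1; }
    if (c == 'D' && n == 2 && parse_hex(tok[1], &cmd->base)) { cmd->op = OP_PAGEIN; return 1; }
    if (n != 4 || !parse_hex(tok[1], &cmd->base) || !parse_hex(tok[2], &cmd->length)
        || cmd->length == 0
        || !normalize_path(tok[3], expert_mode, cmd->path, sizeof cmd->path))
        return 0;
    cmd->op = (c == 'D') ? OP_DUMP : OP_LOAD;
    return 1;
}

int pagein_op_of(const char *line, int expert_mode)
{
    struct pagein_cmd c;
    parse_pagein(line, expert_mode, &c);
    return (int)c.op;
}
int pagein_path_is(const char *line, int expert_mode, const char *expected)
{
    struct pagein_cmd c;
    return parse_pagein(line, expert_mode, &c) && strcmp(c.path, expected) == 0;
}
```

Note the design choice that matters for the dumper: the path is validated and normalized before any address is touched, so a request like "PAGEIN D 400000 300 C:\memory.dmp" is refused in expert mode and rewritten to "\??\C:\memory.dmp" in user mode, which is exactly the form the I/O manager accepts.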
Misc. issues. Limitations
-------------------------
Long file names are fully supported, so a file name like
"ThisIsADumpCreatedWithIcedump" will be accepted without any problems.
Note that specifying an already existing file name will result in a supersede
operation: the old file contents are destroyed, without any warning and
without generating a backup of the old file. So think twice before dumping
to a file name like "\SystemRoot\System32\ntoskrnl.exe" ;=).
The current build is unable to recover from trying to dump an invalid
memory range, such as a range containing non-mapped pages. In this case, the
operating system will bug-check itself with a PAGE_FAULT_IN_NONPAGED_AREA
bug code. This will be fixed in the next release; until then please think twice
about what you dump =). (Access to reserved memory will not cause any harm.)
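As an added illustration of the limitation just described (this is not nticedump's code), the check a dumper can run before reading a range: walk [base, base+len) page by page and refuse the request if any page is not valid, instead of faulting in a non-paged context. The validity callback stands in for MmIsAddressValid, which the document lists among the APIs the dumper uses; the region table is a constructed map of a hypothetical 32-bit process, not data from any real system. The example treats every page the callback rejects as not dumpable, which is stricter than the document's remark that reserved memory is harmless.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not nticedump's own source: page-by-page validation of a dump
 * request so that a range containing non-mapped pages is refused rather than
 * bug-checking the machine. demo_map is a constructed address map of a
 * hypothetical 32-bit process; demo_is_address_valid stands in for
 * MmIsAddressValid. */

#define PAGE_SIZE 0x1000u
#define PAGE_BASE(a) ((a) & ~(uint32_t)(PAGE_SIZE - 1))

typedef int (*page_valid_fn)(uint32_t addr);

struct region { uint32_t start, end; };          /* [start, end), page aligned */
static const struct region demo_map[] = {
    { 0x00400000u, 0x00410000u },                 /* image: 16 pages */
    { 0x00430000u, 0x00432000u },                 /* a heap block: 2 pages */
};

/* Constructed stand-in for MmIsAddressValid. */
int demo_is_address_valid(uint32_t addr)
{
    size_t i;
    for (i = 0; i < sizeof demo_map / sizeof demo_map[0]; i++)
        if (addr >= demo_map[i].start && addr < demo_map[i].end) return 1;
    return 0;
}

/* Returns 1 if every page of [base, base+len) is valid. Returns 0 if the
 * request is empty, wraps around the end of the address space, or touches an
 * unmapped page; in the last case *first_bad receives that page's address. */
int check_dump_range(uint32_t base, uint32_t len, page_valid_fn valid,
                     uint32_t *first_bad)
{
    uint32_t last, page;
    *first_bad = 0;
    if (len == 0) return 0;
    last = base + (len - 1);
    if (last < base) { *first_bad = base; return 0; }  /* 32-bit wrap-around */
    for (page = PAGE_BASE(base); ; page += PAGE_SIZE) {
        if (!valid(page)) { *first_bad = page; return 0; }
        if (page == PAGE_BASE(last)) break;   /* stop before stepping past 0xFFFFF000 */
    }
    return 1;
}

/* Number of pages a dump request touches (for a "dumping N pages" message);
 * 0 for a request that must be refused. */
uint32_t dump_page_count(uint32_t base, uint32_t len, page_valid_fn valid)
{
    uint32_t bad;
    if (!check_dump_range(base, len, valid, &bad)) return 0;
    return (PAGE_BASE(base + len - 1) - PAGE_BASE(base)) / PAGE_SIZE + 1;
}

/* Convenience wrapper over the constructed map: the first bad page address,
 * or 0 when the whole range may be dumped. */
uint32_t demo_first_bad_page(uint32_t base, uint32_t len)
{
    uint32_t bad;
    return check_dump_range(base, len, demo_is_address_valid, &bad) ? 0 : bad;
}
```

Running the check up front means a request such as "PAGEIN D 40F800 1000" on this map is refused with the first unmapped page reported, where the current build would instead take the PAGE_FAULT_IN_NONPAGED_AREA bug check.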
6. Error handling. Messages and possible causes
-----------------------------------------------
To be written.
7. Terms of use
---------------
nticedump is provided "as is", without any guarantees. The software may
contain bugs, so use it at your own risk. We, the icedump team cannot be held
responsible for any unintentional damage caused by the use of this product.
8. Technical support
--------------------
Before asking us any questions, do RTFM. However, due to the complexity
of the NT operating system, unforeseen conditions may occur which cause
nticedump to fail its task. In this case, first visit http://icedump.tsx.org,
download the latest available version, and see if the problem was fixed. If
not, we will be happy to assist you, but be sure that you have the following
information written down for us:
1. nticedump version. Can be retrieved by typing PAGEIN without any
params.
2. NTICE version and Windows NT version (including any Service Pack
you use !!!!). A build number is preferable, especially for Win2K.
3. In the case of a BSOD, please copy the first 3 lines from the
screen, exactly as they appear. For very interesting situations, we might
need a crash dump from your machine. (Hah, like I have time to spend staring
at your crashdumps :P)
Note that although we provide the source code inside the package, this
is for educational purposes only. We do not intend to support any product
resulting from modified source code. So if you want to customize your nticedump
copy, be sure that you know damn well what you are doing.
If you want your modifications to become part of the official
nticedump package, send them to our team. We reserve the right to reject them
without any explanation, but this will happen only if you propose something
of incredible stupidity.
We also appreciate ideas for new extension commands.
Credits:
Fossil & The Owl: for the great support they offered me inside UKC
                  and the Icedump team. Thx you guys.
G-Rom:            for Process Dump, the patcher, and overall support.
KrK:              for accepting to be a part of our Nticedump Beta team.
Muffin:           for being a good friend, and the editor of this
                  document. Sorry for the patcher, but the updated
                  image files are not compatible with your code. Also,
                  thx for Beta-testing.
JackyX:           Beta tester, good work !
The Rain:         who did not care enough to send me his patcher, or
                  even to get feed-back on beta tests, but I care about
                  him :P
Acpizer, Animadei, Devil, KrK, G-Rom, Ghiribizzo, Iceman (.de), Lordbyte,
Mammon, Razzi, Slava, Sharp, The Owl, Zip